thoughtbot/clearance

Allow HTTP authentication (for an API, etc)

Closed this issue · 10 comments

Hi,

I needed to have HTTP authentication on my current project using Clearance, and discovered that Clearance does not provide it. I implemented it as the following patch:

http://gist.github.com/159604

Does adding feature like this make sense to you?

(Note: I've tried to implement it directly in Clearance, but have not found an obvious place to put the tests. I could not persuade AccountsControllerTest to have access to User or Factory(:email_confirmed_user) etc. and had to give up.)

+1 This would be a helpful feature to add to Clearance.

Yep agreed. Clearance is awesome, but no http auth is a showstopper for most of my customers' projects. +1

pius commented

+1

Hello Dan,

I think the main reason here is convenience. When it's built-in, we get HTTP-Auth for non-HTML requests automatically, quite transparently, and stupidly easy.

To use Rack::Auth::Basic middleware for this in Rails, one has to do (and please correct me if I'm mistaken!!):

  • Add the middleware somewhere in the stack
  • Intercept calls for non-HTML requests and do the ::User.authenticate(login, password) authentication
  • Somehow (?) set the @_current_user variable so it is available to controllers

Again, correct me if I'm wrong. I haven't tried it, I am just thinking aloud.

Of course, I completely understand the need to keep Clearance lean. I just think the lack of HTTP-Auth for non-HTML requests is something which puts an unnecessary burden on the library users -- and more so if they're beginners etc.

(Now, Sinatra is obviously another story. You expect to operate much closer to the metal.)

Karel

We're going to pass on this patch. Thanks for the effort but we don't think it belongs in Clearance. We're comfortable (and prefer the explicitness of) using Rack::Auth for our APIs:

use Rack::Auth::Basic do |username, password|
  username == 'foo' and password == 'bar'
end

Thanks again.

Hi, sure, understood! In that case I think some info or a short tutorial in the Clearance docs about how to concretely implement HTTP-based auth in a Clearance application would be great. (The usual use case is something like "give me a JSON export with recent photos for the authenticated user", etc.)

Definitely. I've tagged this issue as 'docs' and will try to get to it in the next few days.

I've packaged HTTP Auth for Clearance as a gem: https://github.com/karmi/clearance_http_auth (It works by setting an env variable in middleware and overloading current_user to read it.)
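The middleware-sets-env approach described in the comment above, as an added example that is not the clearance_http_auth gem's code or Clearance's: a Rack-style middleware decodes Basic credentials, authenticates them, and stores the user in env for a current_user override to read; when no credentials are sent it falls through to normal session auth. The class name, the env key, the fake user store and the authenticate_user helper are assumptions; unlike the `==` comparison in the Rack::Auth::Basic snippet earlier in the thread, it compares the password in constant time.

```ruby
# Constructed stand-in for Clearance's User.authenticate(email, password).
FAKE_USERS = { 'karel@example.com' => 'correct horse' }.freeze

# Constant-time comparison: a wrong password must not be distinguishable by timing.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Returns a user record (here a hash) or nil; a real app would call the model.
def authenticate_user(email, password)
  stored = FAKE_USERS[email]
  return nil unless stored && secure_compare(stored, password)
  { email: email }
end

# Hypothetical middleware: never touches the session, only populates env.
class BasicAuthToEnv
  ENV_KEY = 'clearance_http_auth.current_user' # assumed key, not the gem's

  def initialize(app)
    @app = app
  end

  def call(env)
    header = env['HTTP_AUTHORIZATION'].to_s
    # No Basic credentials: leave the request to Clearance's cookie/session auth.
    return @app.call(env) unless header.start_with?('Basic ')
    email, password = header[6..-1].unpack1('m').split(':', 2) # lenient base64 decode
    user = email && password ? authenticate_user(email, password) : nil
    # Credentials were offered but are wrong: challenge instead of silently falling back.
    return unauthorized unless user
    env[ENV_KEY] = user
    @app.call(env)
  end

  def unauthorized
    [401, { 'Content-Type' => 'text/plain', 'WWW-Authenticate' => 'Basic realm="API"' }, ['Unauthorized']]
  end
end

# Minimal downstream app standing in for the Rails stack; a current_user override
# would read env[BasicAuthToEnv::ENV_KEY] the same way.
APP = ->(env) { [200, { 'Content-Type' => 'text/plain' }, [env[BasicAuthToEnv::ENV_KEY]&.fetch(:email).to_s]] }

def basic_header(email, password)
  'Basic ' + ["#{email}:#{password}"].pack('m0')
end

def run_request(auth_header)
  env = auth_header ? { 'HTTP_AUTHORIZATION' => auth_header } : {}
  BasicAuthToEnv.new(APP).call(env)
end
```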

Very nice. Well done!